Solved My 1st FreeBSD server shows blocked msgs from ports 546,547, and 5355

[crestfallen1]

Hi everyone!

I just setup my very first FreeBSD server on a VPS and everything is going great but I noticed in my /var/log/security log that there is lots of IPFW Deny messages for ports UDP 546, 547, and 5535 for IPv6.

I looked those ports up and they seem to be related to dhclient(8)? My IPv6 address works absolutely fine even with those ports blocked so I was wondering if there's a way I can stop those messages from appearing?

I was able to get rid of the messages by adding the following rules to /etc/rc.firewall:

${fwcmd} add pass udp from fe80::/10 to ff02::/16 546 in
${fwcmd} add pass udp from fe80::/10 to ff02::/16 547 in
${fwcmd} add pass udp from fe80::/10 to ff02::/16 5355 in

but I'm not sure if those rules are safe or not? I plan on using this for just a basic webserver so I only need ports 22, 80, and 443 open.

Here's a part of my /etc/rc.conf:

# IPv6
ifconfig_vtnet0_ipv6="inet6 myipv6 prefixlen 64"
ipv6_defaultrouter="mygatewayipv6"

# IPFW Firewall
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="22 80 443"
firewall_allowservices="any"
firewall_logdeny="YES"

Thank you! I'm enjoying FreeBSD A LOT

 

[SirDice]

So, you get unknown connections to a bunch of random ports and the first thing you do is allow that traffic on your firewall? That's not the best way to handle situations like this. Remove them. Those ports aren't related to dhclient(8), dhclient(8) only works for IPv4. And since you don't use DHCP at all (not for IPv4 and not for IPv6), block the traffic and ignore it.

 

[crestfallen1]

So, you get unknown connections to a bunch of random ports and the first thing you do is allow that traffic on your firewall?

The logs were:

Mar 30 11:12:06 crestfallen kernel: ipfw: 65500 Deny UDP [fe80::morenumbers]:63897 [ff02::1:3]:5355 in via vtnet0
Mar 30 11:12:07 crestfallen kernel: ipfw: 65500 Deny UDP [fe80::morenumbers]:546 [ff02::1:2]:547 in via vtnet0
Mar 30 11:13:30 crestfallen kernel: ipfw: 65500 Deny UDP [fe80::morenumbers]:546 [ff02::1:2]:547 in via vtnet0

and it just keeps repeating

I have

ifconfig_vtnet0=DHCP

in my /etc/rc.conf

My provider is Leaseweb and they gave me an IPv6 address with a gateway that I had to setup myself so I just added the ipv6 config and left DHCP there.

Anyways I will just block and ignore it as you said. I appreciate the help!

 

[SirDice]

Please use the format tags when posting.
Thread 45189/
Thread 55543/

The logs were:

Mar 30 11:12:06 crestfallen kernel: ipfw: 65500 Deny UDP [fe80::morenumbers]:63897 [ff02::1:3]:5355 in via vtnet0
Mar 30 11:12:07 crestfallen kernel: ipfw: 65500 Deny UDP [fe80::morenumbers]:546 [ff02::1:2]:547 in via vtnet0
Mar 30 11:13:30 crestfallen kernel: ipfw: 65500 Deny UDP [fe80::morenumbers]:546 [ff02::1:2]:547 in via vtnet0

and it just keeps repeating

Yes, it's doing exactly what you told it to do.

firewall_logdeny="YES"

This little entry says, "log everything that's denied".

I have

ifconfig_vtnet0=DHCP

in my /etc/rc.conf

Right. But that's for IPv4.

My provider is Leaseweb and they gave me an IPv6 address with a gateway that I had to setup myself so I just added the ipv6 config and left DHCP there.

Which means you can safely block the DHCPv6 traffic as you're not using it.

Anyways I will just block and ignore it as you said. I appreciate the help!

Yep. Or turn off the logging.

 

[chrbr]

Dear crestfallen1,
you might want to have in /etc/rc.conf just

firewall_logging="YES"

insteal of logging all denied stuff. In /etc/ipfw.rules you can deny the items you do not want to log with the omitting log. Finally to can deny and log the rest as in the example below. Of course you can add the log option to addtional rules. This is a very helpful feature.

# some rules as example
ipfw -q add 00300 allow log tcp from any to any 80 out via bge0
ipfw -q add 2000 deny all from any to any 137
ipfw -q add 2020 deny all from any to any 138
ipfw -q add 2040 deny all from any to any 139
# Block the rest
ipfw -q add 65000 deny log all from any to any